Splunk integration woes [resolved]

Hi,

I have recently been adding stuff into my HA deployment and decided to send events out to my Splunk instance to see what I could do in Splunk.

I had some troubles and went from one end of the internet to the other trying to resolve it to get it working.

I am running Splunk Enterprise 9.1.1 on CentOS8

In the hopes this might help someone else, my experience as follows…

On your Splunk instance
Download and deploy the HA Splunk app found here: HomeAssistant app for Splunk | Splunkbase
Add a new index called “homeassistant” to your Splunk instance
Add a new HEC token and enable global HEC settings (if you have not already done so; I have SSL disabled and no indexer ack)
Make a note of your HEC token

Read this: Splunk - Home Assistant
Add the following to your HA configuration.yaml (I added mine at the end)

# add splunk integration
splunk:
  token: <Your_Splunk_HEC_token>
  host: <IP_of_Your_Splunk_server>
  port: <HEC_port_on_your_splunk_server>
  ssl: false
  verify_ssl: false

reload the HA configuration and/or restart as needed.

Test that your Splunk server is receiving HEC events correctly by running the following on your Splunk server console.

curl -k http://<IP_of_Your_Splunk_server>:8088/services/collector/raw -H "Authorization: Splunk <Your_Splunk_HEC_token>" -d 'hello from local'

Check Splunk to see if it captured that event

Test that your Splunk server is receiving HEC events from HA correctly by running the following on your HA server. (hint: use alt-F2 to get another console session where you can execute commands)

curl -k http://<IP_of_Your_Splunk_server>:8088/services/collector/raw -H "Authorization: Splunk <Your_Splunk_HEC_token>" -d 'hello from remote'

Check Splunk to see if it captured that event by running the following search in Splunk.

index="homeassistant"

Troubleshooting
Check that the OS firewall on your Splunk server is passing TCP/8088. If not, add it. (firewall-cmd or iptables, or windows ??)

If you run HA in a different network zone to your Splunk server, e.g. an IoT zone, check that the network firewall rules between zones allow your HA host to send TCP/8088 to your Splunk server (I use pfSense).

The HA host firewall allows everything outbound, so that should not be an issue.

So what was my issue?
I run HA in a different network zone to my Splunk server and I had not previously configured HEC on my Splunk instance. So I had to enable HEC on Splunk, then allow inbound TCP/8088 on the Splunk host firewall and then I had to create a rule on my network firewall to allow the HA host to send TCP/8088 to my Splunk host.

Splunk app: yep, so it's getting data in OK now; it hasn't been updated since 2016, but the bones are good. Your index will need to be called “homeassistant” to make it work out of the box.
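As an added example (not part of the original post), here is a small Python script that runs the two checks the post describes in order: first a plain TCP handshake to the HEC port, so a firewall drop or reject can be told apart from an HEC configuration problem, and then a raw-endpoint POST like the curl commands, with the HEC reply mapped to the troubleshooting hints above. The host, port and token are constructed placeholders, and it assumes the plain-http setup from the post (ssl: false).

```python
import json
import socket
import urllib.error
import urllib.request

# Constructed placeholder values mirroring the splunk: stanza in configuration.yaml
HA_SPLUNK_CFG = {"token": "00000000-0000-EXAMPLE-TOKEN", "host": "192.0.2.10",
                 "port": 8088, "ssl": False, "verify_ssl": False}

def build_request(cfg):
    """URL and headers for the raw HEC endpoint used by the curl tests above."""
    scheme = "https" if cfg.get("ssl") else "http"
    url = f"{scheme}://{cfg['host']}:{cfg['port']}/services/collector/raw"
    return url, {"Authorization": f"Splunk {cfg['token']}"}

def check_tcp(host, port, timeout=3.0):
    """Stage 1: TCP handshake only, to separate firewall problems from HEC problems."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "tcp-open"
    except ConnectionRefusedError:
        return f"refused: HEC not enabled or the Splunk host firewall rejects TCP/{port}"
    except (socket.timeout, TimeoutError):
        return "timeout: packets dropped, check the network firewall between zones"
    except OSError as exc:
        return f"error: {exc}"

def classify_response(status, body):
    """Stage 2: map the HEC reply (HTTP status plus the JSON 'text' field) to a hint."""
    try:
        text = json.loads(body.decode() or "{}").get("text", "")
    except ValueError:
        text = body.decode(errors="replace")[:80]
    if status == 200:
        return ("ok", text)
    if status in (401, 403):
        return ("auth", f"token rejected ({text}); compare it with the HEC token in Splunk")
    if status == 400:
        return ("request", f"HEC refused the event ({text}); check token and index settings")
    return ("other", f"HTTP {status}: {text}")

def send_test_event(cfg, payload=b"hello from remote", timeout=5.0):
    """POST a raw test event exactly like the curl commands, then classify the reply."""
    url, headers = build_request(cfg)
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())
```

Run check_tcp() first and only move on to send_test_event() once it reports tcp-open; a refused or timed-out handshake points at the host or network firewall steps above rather than at the token.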


Hi, thanks for sharing.

I tried to enable the Splunk integration in my HA, but after modifying the configuration.yaml file it seems the integration doesn’t install.

Also, I don’t see any flows going out from the HA server.

Do you have any advice?

default_config:

splunk:
  token: <token>
  host: <ip>
  port: 8088
  ssl: false
  verify_ssl: false